CVE-2026-4065

Name of the Vulnerable Software and Affected Versions Smart Slider 3 plugin for WordPress versions up to and including 3.5.1.33

Description The Smart Slider 3 plugin for WordPress is susceptible to unauthorized data access and modification. This is due to the absence of capability checks in multiple wp ajax smart-slider3 controller actions. The display admin ajax() method lacks a call to checkForCap(), which requires unfiltered html capability. Several controller actions only validate the nonce (validateToken()) without validating permissions. This allows authenticated attackers with Contributor-level access or higher to enumerate slider metadata and create, modify, and delete image storage records by leveraging the nextend nonce exposed on post editor pages.

Recommendations Update to a version beyond 3.5.1.33